Privacy Laws: How the US, EU and others protect IoT data (or don't)

Rules about data security can vary widely. Here's a look at laws in place in the US, the EU, Canada, APAC, and more.
Written by Amy Talbott, Contributor
Image: Boris Zerwann

Most countries have no laws that specifically mention IoT devices, so general privacy laws -- many of which went on the books before anyone had heard of the term 'IoT' -- apply when a company wants to collect data from users.

These privacy laws vary from country to country, which can be a challenge. For example, U.S.-based companies used to be able to easily collect data from users in the EU, where data privacy laws are stricter, if they were certified under a program called Safe Harbor. But late last year, the EU declared Safe Harbor invalid. So, said Kate Lucente, a US attorney who works with data privacy issues, "companies have had to scramble to put some backup mechanism in place to make the data transfers legal."

Here's a look at some of the laws currently in place in countries and regions around the world:

United States

Mark Radcliffe, an attorney in Silicon Valley who works with issues related to IoT, compared regulations in the U.S. to a Rubik's Cube because there can be so many moving parts. There are federal privacy laws (like The Privacy Act of 1974) and laws that vary by state. According to the National Conference of State Legislatures website, 31 states have data disposal laws and 47 states have security breach notification laws, but the laws are not uniform. California, which goes further than many other states in terms of data privacy, even has a law about collecting data from internet-connected televisions. Data privacy is also regulated by specific laws like HIPPA for healthcare devices and the Children's Online Privacy Protection Act if the user is under 13.

It's not binding law, but last year, the Federal Trade Commission issued a report containing best practices for protecting user data, aimed at companies who make IoT-connected devices. The recommendations included designing devices with data security in mind (something Radcliffe said he sees companies not doing on a regular basis), conducting tests of security measures on a regular basis, not collecting more data than necessary, and displaying privacy information in a way that's easy to understand and appropriate for the device -- that is, a short, simple notification on wearable devices.


In Canada, a federal law called the Personal Information Protection and Electronic Documents Act (PIPEDA) sets rules on how companies who collect personal data should protect it. The law requires companies to do things like create a privacy management program, limit collection, use and retention of data, give users access to information that the company has about them and provide a way for users to file complaints with the company.

Like U.S. states, Canadian provinces can create their own privacy laws and three of them, Alberta, British Columbia and Quebec, have done so. Kirsten Thompson, who specializes in technology law in Toronto, said that each province also has its own laws around personal health information and one province, Alberta, has a mandatory data breach notification law.


When the EU passed a Data Protection Directive in 1995, the term IoT didn't even exist, but companies making or selling IoT devices in EU countries are expected to play by the rules laid out in the document. Those rules include things like only collecting data for relevant purposes, taking measures to secure users' data and only collecting data after users have given their informed consent. The directive also states that users should be able to have inaccurate or old data about themselves erased.

But since since it's up to countries to figure out how to implement rules set by EU directives, there's currently a patchwork of data privacy laws. In December of last year, the European Commission passed the General Data Protection Regulation to standardize data privacy laws across the EU. They won't take effect until 2017, but according to a fact sheet from the European Commission, users can expect greater control over their personal data and device makers will have stricter requirements to build data protection into their devices from the very beginning of the design process.


Two main federal laws apply to IoT data collected in Australia: the Privacy Act of 1988 and Telecommunications Act passed in 1997. Under the Privacy Act, most companies are required to comply with privacy principles when collecting information that could identify a user personally. The privacy principles require companies to do things like establish a privacy policy, give users the option of remaining anonymous when possible, keep users' personal data secure, notify users about the information they're collecting and give them access to their data. According to the Australian Information Commissioner's website, privacy requirements are more stringent for organizations collecting sensitive information, which includes health data. The Telecommunications Act requires service providers to keep contents of communications information about customers confidential. There is also an Australian Telecommunications Consumer Protection Code which also holds providers responsible for the security of users' data.

One area where the law can be confusing is what counts as personal data under the Privacy Act. "It's a little tricky when data is being gathered and aggregated," said James Halliday, a Syndey-based attorney who works with telecommunications and IT issues. "Whether it applies comes down to asking the question, 'Can you reasonably identify the individual from this information or not?'"


According to a fact sheet by law firm DLA Piper, Mexico passed The Federal Law on the Protection of Personal Data held by Private Parties in 2010 and has issued several other guidelines on dealing with personal data in the past five years. Companies who collect personal data in Mexico are required to have a data protection officer or department and must also provide a privacy notice for users. As with many other countries where privacy laws are in place, organizations collecting personal data have to keep collection limited to specific purposes and cannot keep data longer than necessary.


Countries in this region, like China, Indonesia and India, have a lot of catching up to do, said Charles Anderson, Head of Mobility and IoT at IDC Asia/Pacific. "The governments tend to be pretty far behind in setting anything related to data privacy issues, and that ends up causing a lot of problems for enterprises when they want to move data around or want to collect data." Some exceptions Anderson pointed out are New Zealand, Singapore and Japan, all of which have data privacy laws similar to those in the EU and Australia.

Middle East

Few countries in this region have laws regarding privacy of data and access to information. According to the 2015 International Compendium of Data Privacy Laws by law firm BakerHostetler, Qatar and the UAE have laws in place that are similar to privacy laws found in other countries. Saudi Arabia has some laws regarding privacy and data collection, but they have no law about data security or notification of data breaches.

More IoT laws in the future?

Right now, privacy laws are all over the place worldwide, from regions like the EU where policies are well-developed and getting stricter, to regions like the Middle East where there are hardly any rules about data privacy protection.

But as IoT devices capable of collecting all kind of data at all times become more widespread, so might privacy laws. According to a Deloitte report on big data that came out in 2015, there were only 20 privacy laws worldwide in the 90s. There are over 100 now.

In the future, laws specifically pertaining to IoT devices may take effect as well. Giulio Coraggio, an Italian lawyer who focuses on tech, says the European Commission is currently considering whether to create IoT-specific legislation to deal with issues like the free flow of data, interoperability and authentication.

Editorial standards